E-commerce Security Wiki
The basics of e-commerce security

Electronic commerce, also known as e-commerce, refers to the industry of buying and selling products or services over electronic systems such as the Internet. E-commerce security, more specifically, refers to the protection of e-commerce assets from unauthorized access, use, alteration, or destruction.

''The status of computer security in the United States''

No one really knows the true impact of online security breaches because, according to the Computer Security Institute, only 27 percent of businesses report computer intrusions to legal authorities. The Computer Security Institute conducts an annual security survey of U.S. corporations and government agencies; financial, medical, and other institutions; and universities. Highlights from the 2010/2011 survey, which was based on responses from over 500 participants, include the following summary points:
*Malware infection was the most common incident (67% of respondents reported it).
*Respondents reported markedly fewer financial fraud incidents than in previous years, with only 8.7% of respondents reporting one.
*Of the roughly 50% of respondents who experienced at least one security incident, 45.6% reported that they had been the subject of at least one targeted attack.
*Fewer respondents than ever were willing to share specific information about the dollar losses they incurred. Given this, the report for this year does not give specific dollar figures for average losses per respondent.
*Respondents said that regulatory compliance efforts have had a positive effect on their security programs.
*By and large, respondents did not believe that the activities of malicious insiders accounted for much of their losses due to cybercrime: 59.1% believe that none of their losses were due to malicious insiders. Only 39.5%, however, could say that none of their losses were due to non-malicious insider actions.
*51.1% of respondents said that their organizations do not use cloud computing. 10%, however, said their organizations not only use cloud computing but have also deployed cloud-specific security tools.

''The six dimensions of e-commerce security''
#Integrity: prevention of unauthorized data modification
#Nonrepudiation: prevention of any party reneging on an agreement after the fact
#Authenticity: authentication of the data source
#Confidentiality: protection against unauthorized data disclosure
#Privacy: provision of control over the collection and disclosure of personal data
#Availability: prevention of data delays or removal

''The drivers of EC security problems''
#The Internet's vulnerable design
#The shift to profit-induced crimes
#The Internet underground economy
#The dynamic nature of EC systems and the role of insiders

''Why it is difficult to stop Internet crime''
#Security measures that make shopping inconvenient
#Lack of cooperation from credit card issuers
#Shoppers' negligence
#Ignoring EC security best practices
#Design and architecture issues
#Lack of due care in business practices

A brief introduction to cryptography

Cryptography is one of the technologies behind e-commerce that protects secret information.

''Basic concepts''
*Plaintext: text in human-readable form
*Ciphertext: text in encrypted form
*Method: the procedure used to encrypt or decrypt a message
*Key: the value of a variable that drives the encryption/decryption process

The relationship between method and key: for example, suppose the method for encrypting a text is to substitute every letter with the letter 10 positions later in the alphabet (wrapping around from z back to a). Then apple becomes kzzvo, and the key is the value 10. If you change 10 to 5, you change the key, but the method stays the same and apple is encrypted as fuuqj.
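The method/key relationship above, worked through in Python as an added example (this is not code from the original page): the shift cipher is one fixed method driven by a numeric key, run here with the keys 10 and 5 from the text, together with the frequency-analysis attack described in the next section, which recovers the key from the ciphertext alone. The English letter-frequency table is the standard reference table; the sample sentence is taken from this page and is constructed input, not captured data.

```python
from collections import Counter
import string

ALPHABET = string.ascii_lowercase

# Approximate frequency (percent) of each letter in ordinary English text,
# the well-known reference table used for frequency analysis.
ENGLISH_FREQ = {
    "a": 8.167, "b": 1.492, "c": 2.782, "d": 4.253, "e": 12.702, "f": 2.228,
    "g": 2.015, "h": 6.094, "i": 6.966, "j": 0.153, "k": 0.772, "l": 4.025,
    "m": 2.406, "n": 6.749, "o": 7.507, "p": 1.929, "q": 0.095, "r": 5.987,
    "s": 6.327, "t": 9.056, "u": 2.758, "v": 0.978, "w": 2.360, "x": 0.150,
    "y": 1.974, "z": 0.074,
}


def shift_encrypt(plaintext, key):
    """The method: replace each letter by the letter `key` positions later in
    the alphabet, wrapping from z back to a. Only the key differs between
    kzzvo (key 10) and fuuqj (key 5); the method is identical."""
    out = []
    for ch in plaintext.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(out)


def shift_decrypt(ciphertext, key):
    """Decryption is the same method run with the negated key."""
    return shift_encrypt(ciphertext, -key)


def chi_squared_distance(text):
    """How far the letter counts of `text` are from English. A shift does not
    change which letters are common, only what they are called, so the correct
    decryption scores lowest and every wrong shift scores far higher."""
    letters = [ch for ch in text if ch in ALPHABET]
    total = len(letters)
    if total == 0:
        return float("inf")  # nothing to analyse
    counts = Counter(letters)
    score = 0.0
    for ch in ALPHABET:
        expected = ENGLISH_FREQ[ch] * total / 100
        score += (counts[ch] - expected) ** 2 / expected
    return score


def recover_key(ciphertext):
    """Frequency analysis: try all 26 keys and keep the one whose decryption
    looks most like English. No knowledge of the plaintext is needed."""
    return min(range(26), key=lambda k: chi_squared_distance(shift_decrypt(ciphertext, k)))


# Constructed sample message (a sentence from this page), not captured data.
SAMPLE_PLAINTEXT = ("electronic commerce refers to the industry of buying and selling "
                    "products or services over electronic systems such as the internet")


def demo():
    """Encrypt the sample with key 10, then recover the key from the ciphertext alone."""
    ciphertext = shift_encrypt(SAMPLE_PLAINTEXT, 10)
    return recover_key(ciphertext)


if __name__ == "__main__":
    print(shift_encrypt("apple", 10), shift_encrypt("apple", 5))
    print("recovered key:", demo())
```

The attack needs nothing but the ciphertext and a frequency table; with a message of a hundred or so letters the correct shift wins by a wide margin, which is why a fixed single shift gives no real protection.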
''Caesar's cipher''

The method introduced above is actually Caesar's cipher, which Julius Caesar used to communicate messages in war. This encryption method has a fatal weakness: the ciphertext can be decrypted by frequency analysis, because each letter in English (and the same logic applies to other languages) appears with a characteristic frequency in words and sentences. A single shift preserves those frequencies, so the most common ciphertext letter is most likely an encrypted e, and the shift follows from that.

''Vigenère cryptosystem''

This is a polyalphabetic substitution cipher that counters the frequency weakness of simple substitution ciphers. The characters in the key determine the displacement, that is, which character replaces each plaintext character, and the key is repeated for the length of the message. Because of this, the same character in the plaintext may be represented by different ciphertext characters.

Example: suppose the plaintext is apple and the key is red. Counting a as 0, as in the Caesar example above, red gives the shifts 17, 4, 3 (the positions of r, e and d in the alphabet). Then a is shifted by 17 to r, the first p by 4 to t, and the second p by 3 to s; the key then repeats, so l is shifted by 17 to c and e by 4 to i. Thus the plaintext apple is encrypted as rtsci, and the two p's are substituted by different letters. Since the key is short and repeats, if the ciphertext is long enough the key length can be determined and every position of the key can then be attacked as a separate Caesar cipher, so the key can eventually be found. A sufficiently long key is therefore vitally important.

''Exclusive Or (XOR)''

This is a substitution cipher in binary terms (1 = true; 0 = false). The XOR of two bits is 1 when either one bit is 1 or the other is, but not both.

Example:
plaintext: 01000001
key: 11010111
ciphertext: 10010110

The plaintext 01000001 is the ASCII encoding of "A"; every letter in English can be represented this way, and numbers are easy to convert from decimal to binary. XOR is therefore a more general way of encrypting: any character or number can be encrypted with a key as shown above, and applying the same key to the ciphertext again restores the plaintext. The key can be generated at random and can be as long as the plaintext itself; if it is truly random, as long as the message, and never reused, unauthorized decryption is impossible.
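The Vigenère and XOR examples above, carried out in Python as an added example (not code from the original page). It encrypts apple with the key red, XORs the byte for "A" with the key 11010111, and then shows the three things the text claims about the key: a short repeating key can be brute-forced, a random key as long as the message (a one-time pad) is consistent with every possible plaintext of that length, and reusing such a key leaks the XOR of the two messages. The order messages and the crib word are constructed for the example.

```python
import os


def vigenere(text, key, decrypt=False):
    """Polyalphabetic shift. Each letter of the text is displaced by the
    alphabet position (a=0 ... z=25) of the next letter of the repeating key,
    so with key 'red' the shifts are 17, 4, 3, 17, 4, ... and the two p's in
    'apple' encrypt to different letters. Decrypting uses the negated shifts.
    Non-letters pass through unchanged and do not consume a key letter."""
    key = key.lower()
    out, j = [], 0
    for ch in text.lower():
        if not ("a" <= ch <= "z"):
            out.append(ch)
            continue
        shift = ord(key[j % len(key)]) - ord("a")
        j += 1
        if decrypt:
            shift = -shift
        out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
    return "".join(out)


def xor_bytes(data, key):
    """XOR every byte of data with the matching key byte, repeating the key
    when it is shorter than the data. The same function decrypts, because
    (p XOR k) XOR k == p."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def one_time_pad_key(length):
    """One-time pad key: uniformly random, as long as the message, used once."""
    return os.urandom(length)


def brute_force_single_byte(ciphertext, crib):
    """A repeating 1-byte key has only 256 possibilities: try them all and keep
    the keys whose decryption contains a word we expect to see (the crib)."""
    return [k for k in range(256) if crib in xor_bytes(ciphertext, bytes([k]))]


def pad_that_decrypts_to(ciphertext, wanted):
    """Why a true one-time pad cannot be broken: for ANY candidate plaintext of
    the same length there is a key that decrypts the ciphertext to it, so the
    ciphertext alone says nothing about which message was really sent."""
    return bytes(c ^ w for c, w in zip(ciphertext, wanted))


def key_reuse_leak(c1, c2):
    """Why the pad must never be reused: XORing two ciphertexts made with the
    same key cancels the key and leaves p1 XOR p2. Wherever the messages agree
    the result is zero, and the rest yields to frequency analysis and cribs."""
    return bytes(a ^ b for a, b in zip(c1, c2))


if __name__ == "__main__":
    print(vigenere("apple", "red"))                                # rtsci
    print(xor_bytes(b"A", bytes([0b11010111])).hex())              # 96, i.e. 10010110
    # constructed sample order messages, not captured traffic
    p1, p2 = b"ship order 1234", b"ship order 9876"
    pad = one_time_pad_key(len(p1))
    print(key_reuse_leak(xor_bytes(p1, pad), xor_bytes(p2, pad)).hex())
```

`pad_that_decrypts_to` is the practical meaning of "unbreakable": an attacker holding only the ciphertext can construct an equally valid key for "stop order 1234" as for "ship order 1234", so there is nothing to choose between them. `key_reuse_leak` shows the condition that makes this true: the moment the same pad covers a second message, the leading eleven identical bytes of the two orders come out as zeros and the key is no longer hiding anything about how the messages differ.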
As you can imagine, the longer the key, the harder it is to guess, and the safer the encrypted plaintext. The situation where the key is as long as the plaintext (random, and used only once) is called a one-time pad. In practice, however, it is not practical, because a fresh key as long as every message has to be generated, shared and protected. Current popular encryption standards include DES, 3DES and AES; all of these have fixed, limited key lengths (56 bits for DES, 112 or 168 bits for 3DES, and 128, 192 or 256 bits for AES).

Threats to e-commerce security
*Acts of human error or failure -- accidents, employee mistakes
*Compromises to intellectual property -- piracy, copyright infringement
*Deliberate acts of espionage or trespass -- unauthorized access and/or data collection
*Deliberate acts of information extortion -- blackmail or threatened information disclosure
*Deliberate acts of theft -- illegal confiscation of equipment or information
*Deliberate software attacks -- viruses, worms, macros, denial of service
*Forces of nature -- fire, flood, earthquake, lightning
*Technical hardware failures or errors -- equipment failure
*Technical software failures or errors -- antiquated or outdated technologies

Further information

Tips for e-commerce security

Fraud is aimed mostly against individuals, so it is important to be aware of your online information security. The bottom line is to install basic security software and have good Internet habits.

''Good habits''
*Don't let the computer remember your password; remember it yourself.
*Use passwords that are unique and meaningful to you, so they are hard for others to guess and easy for you to remember.
*Set a power-on password for your own personal computer.
*If you share one machine with several people, set up your own account.
*After using the computer, clear your browsing history; basic security software can do this for you.

''How strong is your password?''

Use the website below to determine the strength of your current passwords. The website will tell you how long it would take a PC to crack your password, and it gives fun details about your password that may make you rethink using it.
http://howsecureismypassword.net/

The graph on that site shows how increasing the length of a password drastically increases the time it takes to crack it.

Latest news

What's happening right now in e-commerce security.

Category:Browse
Category:Latest News